EP3338214B1 - Secure computation environment - Google Patents

Secure computation environment Download PDF

Info

Publication number
EP3338214B1
EP3338214B1 EP16839800.6A EP16839800A EP3338214B1 EP 3338214 B1 EP3338214 B1 EP 3338214B1 EP 16839800 A EP16839800 A EP 16839800A EP 3338214 B1 EP3338214 B1 EP 3338214B1
Authority
EP
European Patent Office
Prior art keywords
container
computation environment
manager
memory
resources
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP16839800.6A
Other languages
German (de)
French (fr)
Other versions
EP3338214A1 (en
EP3338214A4 (en
Inventor
Ambuj Kumar
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Cryptography Research Inc
Original Assignee
Cryptography Research Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Cryptography Research Inc filed Critical Cryptography Research Inc
Publication of EP3338214A1 publication Critical patent/EP3338214A1/en
Publication of EP3338214A4 publication Critical patent/EP3338214A4/en
Application granted granted Critical
Publication of EP3338214B1 publication Critical patent/EP3338214B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44Program or device authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575Secure boot
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/4401Bootstrapping
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08Access security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system

Definitions

  • a container corresponding to executable code may be received.
  • a container manager resident in a memory of a computation environment may be executed to verify the container.
  • the container manager may be verified by a boot loader of the computation environment.
  • Permissions of the container to access the resources of a computation environment may be determined after the verification of the container by the container manager.
  • Access to one or more resources of the computation environment may be provided by transferring control to the one or more resources from the container manager to the container based on the permissions of the container for the resources of the computation environment.
  • a safe computing environment can be provided for ensuring the safety and/or management of a device.
  • the safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating.
  • various security and management activities can be securely performed from a safe computing environment.
  • a safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device.
  • the safe components can, for example, be provided as trusted components for a device.
  • various trusted components or agent
  • US 2010/0023739 relates to machine-readable media, methods, apparatus and a system for booting a processing system.
  • whether an encrypted version of a closed operating system is authentic may be determined.
  • the encrypted version of the closed operating system may be decrypted with a key retrieved from a processor register to provide the closed operating system, based at least in part on a determination that the encrypted version of the closed operating system is authentic.
  • whether the closed operating system is authentic may be determined and a virtual machine may be created so that the closed operating system may be launched in the virtual machine, if the closed operating system is authentic.
  • US 2010/0023743 relates to Methods and an apparatus to measure the integrity of a virtual machine monitor and an operating system via secure launch are disclosed.
  • a method measures a first characteristic of a virtual machine monitor, stores the first measured characteristic in a first hardware protected location, measures a second characteristic of an operating system with the virtual machine monitor, wherein the measuring of the second characteristic is initiated by the operating system, and stores the second measured characteristic in a second hardware protected location.
  • a system or device may include a bootloader, a container manager, and one or more containers that may be used to provide a secure computation environment.
  • the bootloader may be a hardware-based state machine that may be initiated or executed in response to an initialization of the system or device.
  • a container manager that is stored in a memory, such as a read-only-memory (ROM) of the system or is stored via the interconnect of the system or device (e.g., as represented by a netlist), or stored in flash memory or other storage on the system or device, may be executed after the bootloader has performed initialization procedures for the secure computation environment and has verified the container manager.
  • ROM read-only-memory
  • the bootloader may verify the container manager.
  • the verification may include hashing and comparing the result with an expected result.
  • the hashing may correspond to a Secure Hash Algorithm (SHA) operation such as an SHA-2 or SHA-3 operation.
  • the verification may include the bootloader using public key cryptography.
  • the verification may be based on an Elliptic Curve Cryptography Digital Signature (ECDS) operation.
  • the bootloader may allow the container manager to control a central processing unit (CPU) or other such processing device or hardware of the secure computation environment of the system or device.
  • the container manager may be the software of the system or device with higher or highest privileges that provide certain functionality to subsequently received containers that correspond to unsecure user code.
  • the bootloader may verify the container manager and authorize the container manager to control a CPU of the system or device after the container manager has been verified.
  • the container manager may provide a framework for the execution of containers.
  • Each container may correspond to executable code or instructions (e.g., received after manufacturing of the system or device) and permissions to access certain functionality or resources of the system or device.
  • the container manager may receive and execute the containers in series so that the resources of the secure computation environment of the system or device are shared, or timeshared, by the containers.
  • the framework provided by the container manager may further facilitate communication or interaction between containers.
  • the container manager may execute a first container and receive data from the first container that is to be stored in an inter-process communication (IPC) register or memory.
  • the first container may further specify to the container manager an identification of a subsequent container that is authorized to receive the data.
  • the container manager may subsequently store the data received from the first container, an identification of the recipient container (e.g., the identification of the subsequent container to which the data is intended to be received), and an identification of the sender of the data (e.g., the first container) in the IPC register or memory.
  • Subsequent containers may be executed by the container manager and when the second container is executed by the container manager, the container manager may provide the data from the first container that is stored in the IPC register to the second container so that the data may be used during the execution of the second container.
  • the container manager may restrict access to the IPC register or memory if the second container's identification is different from the recipient container's identification.
  • the container manager may store the sender container identification in the IPC itself register or memory so that the sender container may not provide a false identification.
  • the container manager may further provide functionality to a container to communicate with components or entities outside of the secure computation environment.
  • the system may include high-level operating system (HLOS) registers or memory that may be used to provide an indication of a request for data from a container and receive the corresponding data for the container from an external entity that is outside of the secure computation environment.
  • HLOS high-level operating system
  • a container may transmit data to the container manager for storage at a HLOS register that indicates a request for a particular type of data.
  • An external software application or component may access the HLOS register and may identify that the HLOS register currently indicates the request for the particular type of data.
  • the external software application or component may provide the requested data for the HLOS register and the container manager may allow the container to retrieve the data received from the external software application or component that is currently stored in the HLOS register or memory.
  • the secure computation environment may allow a container to verify the container manager.
  • the bootloader may provide a version number or other such identification of the container manager when the bootloader is executed and may store the version number in a particular register or memory location.
  • a container that is executed by the container manager may include instructions to verify the version number of the container manager.
  • the container may be provided access to the version number in the particular register or memory location and may be executed based on the version number of the container manager. For example, if the version number of the container manager matches an authorized version number of the container manager from the instructions of the container, then the container may be executed. However, if the version number of the container manager does not match the authorized version number of the container manager from the instructions of the container, then the container may not further execute or perform operations of its instructions.
  • aspects of the present disclosure may provide for a secure computation environment where a bootloader of a system or a device may verify a container manager that may further provide a framework for the execution of user code in the form of containers. Furthermore, the containers may further verify the container manager so that the execution of the containers may be performed in a secure computation environment.
  • Fig. 1 illustrates an example secure computation environment 100 with a bootloader 110, a container manager 121 stored in a read-only memory 120, and one or more containers 130.
  • the secure computation environment 100 may correspond to a portion of a system or a device that provides a secure computation environment for one or more containers 130.
  • the secure computation environment 100 may include a bootloader 110 that interacts with a container manager 121 that is stored in a read-only memory (ROM) 120 of a device that includes the secure computation environment 100.
  • the bootloader 110 may be a hardware-based state machine that is executed in response to an initialization (i.e., power-up) of the secure computation environment 100 or a device that includes the secure computation environment 100.
  • the bootloader 110 may perform a series of power-on self-tests (e.g., a procedure performed immediately after power-on or start up) of the secure computation environment 100.
  • the self tests performed by the bootloader 110 may include a verification or performance test of the hardware components of the secure computation environment 100.
  • the self-tests may include a test of the CPU or processing device that is part of the secure computation environment 100.
  • the bootloader 110 may further perform an integrity check of the contents of the ROM 120 of the secure computation environment 100.
  • the bootloader 110 may perform a verification or integrity check of the container manager 121 by retrieving the contents of the container manager 121 and computing an integrity check value of the contents of the container manager 121.
  • the computed integrity check value may be compared with another stored integrity check value to determine the authenticity or verification of the container manager 121.
  • the integrity check value may correspond to a hash value that is based on a hash function that is used to map digital data of arbitrary size (e.g., the contents of the container manager 121) to digital data of a fixed size (e.g., the computed integrity check value). Further details with regard to the execution of the bootloader are described in conjunction with Fig. 3 .
  • the bootloader 110 may initiate or execute the container manager 121 that is stored in the ROM 120.
  • the bootloader 110 may initiate the container manager 121 after verifying the CPU and the ROM 120 or other memory of the secure computation environment 100. The control of the CPU or other hardware resources of the secure computation environment 100 may then be provided from the bootloader 110 to the container manager 121.
  • the container manager 121 may correspond to a trusted embedded light-weight software that provides functionality to hardware resources and software resources of the secure computation environment.
  • the container manager 121 may provide an application programming interface (API) that defines functionalities such as system calls to access software resources or hardware resources of the secure computation environment 100.
  • API application programming interface
  • the container manager 121 may further receive one or more containers 130 that correspond to untrusted user code that is received from outside of the secure computation environment 100.
  • the container manager 121 may verify permissions of a received container 130 to access resources of the secure computation environment 100, verify the authenticity of the received container 130, and provide a framework for communication between containers 130 as well as communication between containers 130 and external entities or components that are external to the secure computation environment 100. Further details with regard to the container manager 121 are disclosed in conjunction with Figs. 5A-10 .
  • the container manager 121 may be executed in response to receiving one of the containers 130 or in response to one of the containers 130 executing a system call to access resources of the secure computation environment 100. After a verification of a received container, the container manager 121 may provide control of the CPU or processing device of the secure computation environment 100 to the received container. Each of the one or more containers 130 may further correspond to untrusted user code that provides instructions and/or data for accessing resources of the secure computation environment 100. As described in additional detail with regard to Fig. 5A , the containers 130 may be received in a series so that the resources of the secure computation environment 100 are timeshared between the containers 130.
  • Fig. 2 illustrates an example architecture 200 of a secure computation environment.
  • the architecture 200 may include a bootloader 210 that corresponds to the bootloader 110 of Fig. 1 , a container manager 250 that corresponds to the container manager 121 of Fig. 1 , and a container 240 that corresponds to the one or more containers 130 of Fig. 1 .
  • the architecture 200 may include the bootloader 210 that controls a CPU 220 or other such processing device, a container manager 250 that is stored in ROM or other such memory, and a container 240 that is stored in static random access memory (SRAM) or other such memory.
  • a memory bus 230 may couple the container 240 and the container manager 250 with the bootloader 210 and other resources 232A-H of the architecture 200.
  • the architecture 200 may include a resource enforcement core 260 that enforces control or access to the resources 232A-H of the architecture 200.
  • resources may include, but are not limited to, one-time programmable (OTP) memory writes or burns, OTP reads, feature reads, feature writes, reading of cryptographic keys, updating of cryptographic keys, general purpose input/output (GPIO) reads, GPIO writes, an ability to execute code or instructions via or on the CPU 220, access to an executable region of the SRAM, read access to a particular portion of any such memory, write access to a particular portion of such memory, etc.
  • the accesses may be fine grained.
  • the resource enforcement core may allow write access to one byte of the OTP but not to the next byte.
  • Other resources may include access to functionality of cores 251 that are stored in ROM.
  • cores 251 may correspond to elliptic curve cryptography (ECC) key generation, ECC signature verification, ECC signature generation, cryptographic key exchange, RSA key generation, RSA encryption or decryption, Advanced Encryption Standard (AES) encryption or decryption, SHA-2 or SHA-3 functionalities etc.
  • ECC elliptic curve cryptography
  • AES Advanced Encryption Standard
  • the resource enforcement core 260 may be programmed by the container manager 250 before the execution of each container 240.
  • a container 240 may include an identification of permissions to the features or resources 232A-H and the container manager 250 may program registers or memory of the resource enforcement core 260 based on the permissions of a container 240 that is to be executed.
  • the resource enforcement core 260 may enforce access to the resources 232AH via a secure bus 231 for containers 240 that have been verified by the container manager 250.
  • one or more of the resources 232A-H may be coupled to external components of a device that includes the architecture 200.
  • a resource 232B may be coupled to another system on a chip (SoC), OTP memory, a random number generator component, or other such components that are external to the secure computation environment.
  • SoC system on a chip
  • Fig. 3 is a flow diagram of an example method 300 to provide a secure computation environment.
  • the method 300 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 300 corresponds to an execution flow between the bootloader 110 or 210 of Figs. 1 or 2 , the container manager 121 or 250 of Figs. 1 or 2 , and a container 130 or 240 of Figs. 1 or 2 .
  • the method 300 may begin with the processing logic performing a verification of a secure computation environment in response to an initialization of a system or a device that includes the secure computation environment (block 310).
  • a bootloader may perform a self-test of the secure computation environment that verifies hardware resources and a container manager.
  • the processing logic may further provide access to a CPU to a container manager after the verification of the secure computation environment (block 320).
  • the control of the CPU may be transferred from the bootloader to the container manager and the container manager may be initiated or executed.
  • the processing logic may further receive a container (block 330).
  • executable code may be received.
  • the processing logic may subsequently execute the container manager in response to receiving the container (block 340).
  • the container manager may be executed each time that a container is received.
  • containers may be received in a series so that the containers timeshare the resources of the secure computation environment.
  • the container manager may be separately executed each time that one of the containers is received.
  • the container manager is executed a first time in response to receiving the first container and the container manager may be again executed a second time in response to receiving the subsequent container.
  • the container manager may be executed on-demand based on the receiving of containers.
  • the container manager may be executed after the received container initiates a system call to access a resource of the secure computation environment.
  • the processing logic may verify the container based on the container manager (block 350).
  • the processing logic may further execute the container (block 360).
  • control or access to the CPU may be provided so that instructions of the container are executed.
  • access or control of the CPU may be provided from the container manager to the container.
  • Fig. 4 is a flow diagram of an example method 400 to execute a bootloader of a secure computation environment.
  • the method 400 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 400 corresponds to an execution flow of the bootloader 110 or 210 of Figs. 1 or 2 .
  • the method 400 may begin with the processing logic detecting an initialization of a secure computation environment (block 410).
  • a device or system that includes the secure computation environment may be powered on or initiated after a reset.
  • the processing logic may subsequently perform a self-test of the secure computation environment (block 420).
  • a hardware-based state machine may perform a series of steps or tests of one or more components of the secure computation environment.
  • An example of such a component includes, but is not limited to, a CPU or a memory of the secure computation environment.
  • the processing logic may further retrieve contents of a container manager and a stored integrity check value (block 430).
  • the contents of the container manager may be retrieved from a ROM of the secure computation environment and the stored integrity check value may be retrieved from the same ROM or another memory location within the secure computation environment.
  • the processing logic may subsequently calculate a container manager integrity check value based on the contents of the container manager (block 440). For example, a hash function may be performed on the contents, or a portion of the contents, of the container manager to determine the container manager integrity check value.
  • the processing logic may subsequently compare the stored integrity check value with the container manager integrity check value (block 450). Furthermore, the processing logic may provide access to a CPU, or other such processing device or hardware resource, of the secure computation environment for the container manager based on the comparison of the integrity check values (block 460). For example, if the container manager integrity check value matches the stored integrity check value, then the container manager may be considered to be verified or authenticated and the access or control of the CPU may be provided to the container manager from the bootloader. However, if the container manager integrity check value does not match the stored integrity check value, then the container manager may be considered to be unverified or unauthorized and the access or control of the CPU may not be provided to the container manager from the bootloader.
  • the bootloader may perform a self-test of resources of the secure computation environment and a verification of a container manager. After a successful self-test and a successful verification of the container manager, control or access to a CPU or processing device of the secure computation environment may be provided to the container manager. In some embodiments, the providing of the control or access to the CPU or processing device for a container manager may correspond to the using of the CPU or processing device for operations of the container manager.
  • Fig. 5A is a flow diagram of an example method 500 to provide timesharing of resources of a secure computation environment.
  • the method 500 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 500 may be performed by the container manager 121 or 250 of Figs. 1 or 2 .
  • the method 500 may begin with the processing logic receiving a first container (block 501).
  • a container manager may receive a container after an initialization or execution of the container manager.
  • the container manager may be executed after a system call for accessing of resources of the secure computation environment has been received.
  • the processing logic may further provide access to resources of the secure computation environment to the first container (block 502).
  • access to a CPU may be provided from the container manager to the first container.
  • the providing of the control or access to the CPU or processing device for a container may correspond to the using of the CPU or processing device for operations or instructions of the container.
  • the processing logic may subsequently execute the first container (block 503).
  • instructions of the first container may be performed by the CPU of the secure computation environment. Further details with regard to the execution of a container are described with regard to Fig. 5B .
  • the processing logic may subsequently receive a second container after a completion of the execution of the first container (block 504).
  • the second container may be received by the container manager after the first container.
  • the processing logic may then provide access to resources of the secure computation environment to the second container (block 505) and may execute the second container (block 506).
  • the resources of the secure computation environment may be timeshared between a series of containers. For example, a portion of the resources may be provided to a first container at a first time, and the portion or another portion of the resources may be provided to a subsequent second container at a second time that is after the first time.
  • Fig. 5B is a flow diagram of an example method 509 to execute a container manager of a secure computation environment.
  • the method 509 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 509 may be performed by the container manager 121 or 250 of Figs. 1 or 2 .
  • the method 509 may begin with the processing logic initializing a container manager (block 510).
  • the container manager may be initiated by a bootloader.
  • the initiation of the container manager may perform an initial setup or an initialization routine of the container manager.
  • the processing logic may further receive a first container (block 520).
  • the processing logic may execute the container manager in response to receiving the first container by providing control or access to a CPU to the container manager (block 530).
  • the processing logic may subsequently verify the first container (block 540).
  • the container manager may verify a signature of the first container.
  • the container manager may access a public key and verify a signature of the first container that is created by a corresponding private key (e.g., of a public-private key pair). For example, the container manager may access a symmetric key and may use a hash message authentication code (HMAC) operation to verify a signature of the first container that is created by a corresponding key. For example, the container manager may unconditionally consider the first container to be verified. In some embodiments, the container manager may further verify other properties of the container such as a format of the container, a version of the container, etc. In some embodiments, the verification of the container may further include a determination of the permissions of the container to access resources of the secure computation environment.
  • HMAC hash message authentication code
  • one or more registers accessed by a resource enforcement core may be updated to reflect the permissions associated with the container to access the resources of the secure computation environment.
  • the container manager may dynamically modify the registers in the resource enforcement core as the container executes. Such a dynamic modification may change the permission granted to the container dynamically.
  • the container manager may provide an application programming interface (API) for the container to facilitate the updating of the registers.
  • API application programming interface
  • the processing logic may subsequently execute the first container in response to the verification of the first container by providing control or access of a CPU to the first container (block 550). For example, instructions of the first container may be executed by the CPU if the container satisfies particular cryptographic properties (e.g., the cryptographic signature is valid).
  • the processing logic may further detect a completion of the execution of the first container (block 560). Subsequently, the processing logic may provide control of the CPU to the container manager (block 570). For example, the control or access to the CPU may be returned to the container manager from the container.
  • the processing logic may further store state information of the first container into a memory (block 580). For example, the first container may store some data in the IPC memory or register for subsequent containers to use. For example, the first container may allow a subsequent container to operate with some of the permissions attributed to the first container. For example, the container manager may track the number of containers run so far and may provide this information to the containers or to the HLOS memory or register.
  • the container manager may use an identification of a container to decide which resources the container may have access to.
  • the identification of a container may be its hash (e.g., SHA-2 or SHA-3).
  • the identification may be the container's public key cryptography signature (e.g., ECSDA), or the public key corresponding to the private key to generate the signature.
  • the identification may be the container's HMAC.
  • the identification may also include a version number or revision number of the container that identifies a revision history of the executable code of the container.
  • the identification may be a hash of a combination of various fields (e.g., the identification is the result of an SHA-2 operation of the public key and revision number of the container).
  • the container manager may be executed in response to the receiving of a container and any other subsequent containers.
  • Control or access to a CPU or other hardware resources of a secure computation environment may be provided to a container in response to a verification of the container by the container manager.
  • the control or access to the CPU may be returned to the container manager and state information of the container that was executed may be stored in a memory of the secure computation environment.
  • Fig. 6 is a flow diagram of an example method 600 to update a container manager.
  • the method 600 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 600 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • the method 600 may begin with the processing logic receiving a request to update a container manager (block 610).
  • the request to update the container manager may identify a particular instruction or operation of the container manager and a memory address location for the contents of the instruction or operation.
  • the processing logic may further retrieve a function table associated with the container manager (block 620).
  • the function table may correspond to ordered pairs of entries where a first entry of a pair identifies a particular type of instruction or operation and the second entry of the pair identifies a memory address location that includes contents for the instruction or operation.
  • the processing logic may subsequently update at least one field of the function table that corresponds to the memory address (block 630).
  • the function table may be stored in a memory where the memory may be modified to change a memory address location to a new memory address location.
  • the execution of the container manager may be based on a use of the function table.
  • the container manager may be used with the function table to perform instructions or operations based on the memory address location corresponding to an instruction or operation.
  • the updating of the container manager may result in a change of a memory address location for at least one instruction or operation of the container manager.
  • the processing logic may increment a version number associated with the container manager in response to the updating of the function table (block 640).
  • the version number located in a memory location may be incremented or increased in response to the updating of the container manager.
  • the version number may be stored by the bootloader in OTP or other non-volatile medium (NVM).
  • the bootloader may restrict any containers from execution if the current version number is not higher or equal to the maximum of all the previously stored version numbers.
  • the version number of the container manager may be provided to containers. Each container may retrieve the version number of the container manager and may compare the version number of the container manager to a version number identified within the container.
  • the container may not execute (e.g., the instructions of the container manager may not be performed). However, if the version number of the container manager does match the version number identified within the container, then the container may execute. As such, the version number of the container manager may be used by a container to verify the container manager before the execution of the container.
  • Fig. 7 illustrates an example environment 700 of a container manager interacting with one or more containers.
  • the environment 700 may include a container manager 720 that corresponds to the container manager 121 or 250 of Figs. 1 or 2 .
  • the environment 700 may include a container manager 720 that receives one or more containers 710.
  • the container manager 720 may further be coupled to a high level operating system (HLOS) register or memory 730 and an inter-process communication (IPC) register or memory 740.
  • the container manager 720 may execute one of the containers 710 and may provide an indication of a request for data from the executed container to a component that is external to the secure computation environment via the HLOS memory 730.
  • the container manager 720 may subsequently retrieve the data from the HLOS memory 730 and provide the data to the executed container. Further details with regard to the HLOS memory 730 are described in conjunction with Fig. 10 .
  • the container manager may further provide access to an IPC memory 740 to provide communication between at least two of the containers 710. For example, data may be received from a first container that is received and executed by the container manager 720 and the data may be stored in the IPC memory 740 for retrieval by a subsequent second container that is received by the container manager 720. Further details with regard to the IPC memory 740 are described in conjunction with Figs. 8-9 .
  • Fig. 8 illustrates an example method 800 to provide interaction between containers.
  • the method 800 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 800 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • the method 800 may begin with the processing logic receiving data from a first container during the execution of the first container (block 810).
  • the processing logic may further receive a recipient identification for the data from the first container (block 820).
  • the recipient identification may correspond to the identification of another container.
  • the processing logic may subsequently store the received data, the recipient identification of the other container, and a sender identification of the data that corresponds to the first container in an inter-process communication (IPC) memory or register (block 830).
  • IPC inter-process communication
  • the processing logic may subsequently execute a second container (block 840).
  • a second container may be received after the receiving and execution of the first container.
  • the processing logic may identify that the identification of the second container matches the recipient identification for the data that is stored in the IPC memory (block 850).
  • the processing logic may provide access to the data and the sender identification at the IPC memory to the second container (block 860).
  • the second container may execute instructions with the data from the IPC memory based on a condition associated with the sender identification of the data. For example, the instructions may be executed if the sender identification matches a particular sender identification from the second container or the instructions may not be executed if the sender identification does not match a particular sender identification from the second container.
  • data from a first container may be stored in a memory location of a secure computation environment.
  • a second container that is executed after the first container may be provided access to the data at the memory location.
  • Fig. 9 illustrates an example of containers interacting with a memory.
  • a container manager 910 which may correspond to the container manager 121 or 250 of Figs. 1 or 2 , may provide interaction between containers based on an IPC memory 940.
  • the container manager 910 may be coupled to an IPC memory 940 and a container pipeline 924.
  • the container pipeline 924 may include a first container 920 'A,' a second container 921 'B,' and a third container 922 'C.'
  • the container manager 910 may receive the first container 920 'A' which may be executed.
  • the instructions of the first container 920 'A' may specify for data A to be stored in the IPC memory 940 for the third container 922 'C.
  • the container manager 910 may store an entry in the IPC memory 940 that includes the data A, an identification of the first container 920 (e.g., sender 'A'), and a recipient of the data (e.g., recipient 'C').
  • the container manager 910 may subsequently receive the second container 921 'B' after the completion of the execution of the first container 920 'A.'
  • the second container 921 'B' may not be allowed access to the data in the IPC memory 940 as the identification of the second container 921 (e.g., 'B') does not match the recipient identification of the data (e.g., 'C').
  • the container manager 910 may receive the third container 922 'C.' Since the identification of the third container 922 (e.g., 'C') matches the recipient identification for the data in the IPC memory 940, the container manager 910 may provide access to the data in the IPC memory 940 to the third container 922 with the identification of 'C.'
  • Fig. 10 illustrates an example method 1000 of a container interacting with a component outside of the secure computation environment.
  • the method 1000 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof.
  • the method 1000 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • the method 1000 may begin with the processing logic receiving a request from a container for data that is external to a secure computation environment (block 1010).
  • the data may correspond to data that is received from a component of a device that is not within the secure computation environment.
  • the processing logic may subsequently provide an indication of the request from the container in a high level operating system (HLOS) memory or register (block 1020).
  • HLOS high level operating system
  • a container manager may modify the contents of an HLOS memory to indicate that a component within the secure computation environment has requested data from a component that is coupled to the HLOS memory.
  • the processing logic may subsequently receive the data from an entity that is external to the secure computation environment via the HLOS memory (block 1030).
  • the component that is not within the secure computation environment may provide the data that has been requested by storing the data into the HLOS memory.
  • the processing logic may provide the data form the HLOS memory to the container (block 1040).
  • the container manager may retrieve the data that has been stored in the HLOS memory and may provide the data to the container for execution by the container.
  • the HLOS memory may be the only memory locations within the secure computation environment that are accessible to entities or components that are external to the secure computation environment.
  • Fig. 11 illustrates an example machine of a computer system 1100 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.
  • the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet.
  • the machine may operate in the capacity of a server or a client machine in client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
  • the machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • PC personal computer
  • PDA Personal Digital Assistant
  • STB set-top box
  • STB set-top box
  • a cellular telephone a web appliance
  • server a server
  • network router a network router
  • switch or bridge any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
  • machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
  • the example computer system 1100 includes a processing device 1102, a main memory 1104 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 1106 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 1118, which communicate with each other via a bus 1130.
  • main memory 1104 e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.
  • DRAM dynamic random access memory
  • SDRAM synchronous DRAM
  • RDRAM Rambus DRAM
  • static memory 1106 e.g., flash memory, static random access memory (SRAM), etc.
  • SRAM static random access memory
  • Processing device 1102 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 1102 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 1102 is configured to execute instructions 1126 for performing the operations and steps discussed herein.
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • DSP digital signal processor
  • the computer system 1100 may further include a network interface device 1108 to communicate over the network 1120.
  • the computer system 1100 also may include a video display unit 1110 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1112 (e.g., a keyboard), a cursor control device 1114 (e.g., a mouse), a graphics processing unit 1122, a signal generation device 1116 (e.g., a speaker), graphics processing unit 1122, video processing unit 1128, and audio processing unit 1132.
  • a video display unit 1110 e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)
  • an alphanumeric input device 1112 e.g., a keyboard
  • a cursor control device 1114 e.g., a mouse
  • a graphics processing unit 1122 e.g., a signal generation device 1116 (e.g
  • the data storage device 1118 may include a machine-readable storage medium 1124 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 1126 embodying any one or more of the methodologies or functions described herein.
  • the instructions 1126 may also reside, completely or at least partially, within the main memory 1104 and/or within the processing device 1102 during execution thereof by the computer system 1100, the main memory 1104 and the processing device 1102 also constituting machine-readable storage media.
  • the instructions 1126 include instructions to implement functionality corresponding to a container manager (e.g., container manager 121 or 200 Figs. 1 or 2 ). While the machine-readable storage medium 1124 is shown in an example implementation to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable storage medium” shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term “machine-readable storage medium” shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
  • the present disclosure also relates to an apparatus for performing the operations herein.
  • This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer.
  • a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
  • the present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure.
  • a machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer).
  • a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory (“ROM”), random access memory (“RAM”), magnetic disk storage media, optical storage media, flash memory devices, etc.

Description

    ABSTRACT
  • A container corresponding to executable code may be received. In response to receiving the container, a container manager resident in a memory of a computation environment may be executed to verify the container. The container manager may be verified by a boot loader of the computation environment. Permissions of the container to access the resources of a computation environment may be determined after the verification of the container by the container manager. Access to one or more resources of the computation environment may be provided by transferring control to the one or more resources from the container manager to the container based on the permissions of the container for the resources of the computation environment.
    • BACKGROUND OF THE RELATED ART
  • US 2009/0265756 A1 relates to techniques for managing and protecting computing environments are disclosed. A safe computing environment can be provided for ensuring the safety and/or management of a device. The safe computing environment can be secured by a safe component that isolates and protects it from unsafe computing environments which may also be operating. As a result, various security and management activities can be securely performed from a safe computing environment. A safe computing environment can, for example, be provided on a device as a safe virtual computing environment (e.g., a safe virtual machine) protected by a safe virtual computing monitor (e.g., a safe virtual machine monitor) from one or more other virtual computing environments that are not known or not believed to be safe for the device. It will also be appreciated that the safe components can, for example, be provided as trusted components for a device. As such, various trusted components (or agent) can operate in a trusted computing environment secured from interference by components that many not be trusted and perform various security and/or management tasks alone or in connection, for example, with other trusted components (e.g., trusted serves).
  • US 2010/0023739 relates to machine-readable media, methods, apparatus and a system for booting a processing system. In an embodiment, whether an encrypted version of a closed operating system is authentic may be determined. The encrypted version of the closed operating system may be decrypted with a key retrieved from a processor register to provide the closed operating system, based at least in part on a determination that the encrypted version of the closed operating system is authentic. Then, whether the closed operating system is authentic may be determined and a virtual machine may be created so that the closed operating system may be launched in the virtual machine, if the closed operating system is authentic.
  • US 2010/0023743 relates to Methods and an apparatus to measure the integrity of a virtual machine monitor and an operating system via secure launch are disclosed. In one example, a method measures a first characteristic of a virtual machine monitor, stores the first measured characteristic in a first hardware protected location, measures a second characteristic of an operating system with the virtual machine monitor, wherein the measuring of the second characteristic is initiated by the operating system, and stores the second measured characteristic in a second hardware protected location.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings of various implementations of the disclosure.
    • FIG. 1 illustrates an example secure computation environment with a bootloader, a container manager, and one or more containers in accordance with some embodiments of the present disclosure.
    • FIG. 2 illustrates an example architecture of a secure computation environment in accordance with some embodiments.
    • FIG. 3 is a flow diagram of an example method to provide a secure computation environment in accordance with some embodiments of the present disclosure.
    • FIG. 4 is a flow diagram of an example method to execute a bootloader of a secure computation environment in accordance with some embodiments.
    • FIG. 5A is a flow diagram of an example method to provide timesharing of resources of a secure computation environment in accordance with some embodiments of the present disclosure.
    • FIG. 5B is a flow diagram of an example method to execute a container manager of a secure computation environment in accordance with some embodiments of the present disclosure.
    • FIG. 6 is a flow diagram of an example method to update a container manager in accordance with some embodiments of the present disclosure.
    • FIG. 7 illustrates an example container manager interacting with one or more containers and memory locations in accordance with some embodiments.
    • FIG. 8 illustrates an example method to provide interaction between containers in accordance with some embodiments of the present disclosure.
    • FIG. 9 illustrates an example of containers interacting with a memory in accordance with some embodiments.
    • FIG. 10 illustrates an example method of a container interacting with a component outside of the secure computation environment in accordance with some embodiments.
    • FIG. 11 illustrates a block diagram of an embodiment of a computer system in which some embodiments of the disclosure may operate.
    DETAILED DESCRIPTION
  • Aspects of the present disclosure are directed to a secure computation environment. A system or device may include a bootloader, a container manager, and one or more containers that may be used to provide a secure computation environment. The bootloader may be a hardware-based state machine that may be initiated or executed in response to an initialization of the system or device. During the execution of the bootloader, a container manager that is stored in a memory, such as a read-only-memory (ROM) of the system or is stored via the interconnect of the system or device (e.g., as represented by a netlist), or stored in flash memory or other storage on the system or device, may be executed after the bootloader has performed initialization procedures for the secure computation environment and has verified the container manager.
  • The bootloader may verify the container manager. The verification may include hashing and comparing the result with an expected result. For example, the hashing may correspond to a Secure Hash Algorithm (SHA) operation such as an SHA-2 or SHA-3 operation. Alternatively, the verification may include the bootloader using public key cryptography. For example, the verification may be based on an Elliptic Curve Cryptography Digital Signature (ECDS) operation. After the container manager has been verified, the bootloader may allow the container manager to control a central processing unit (CPU) or other such processing device or hardware of the secure computation environment of the system or device. The container manager may be the software of the system or device with higher or highest privileges that provide certain functionality to subsequently received containers that correspond to unsecure user code. Thus, the bootloader may verify the container manager and authorize the container manager to control a CPU of the system or device after the container manager has been verified.
  • The container manager may provide a framework for the execution of containers. Each container may correspond to executable code or instructions (e.g., received after manufacturing of the system or device) and permissions to access certain functionality or resources of the system or device. The container manager may receive and execute the containers in series so that the resources of the secure computation environment of the system or device are shared, or timeshared, by the containers.
  • The framework provided by the container manager may further facilitate communication or interaction between containers. For example, the container manager may execute a first container and receive data from the first container that is to be stored in an inter-process communication (IPC) register or memory. The first container may further specify to the container manager an identification of a subsequent container that is authorized to receive the data. The container manager may subsequently store the data received from the first container, an identification of the recipient container (e.g., the identification of the subsequent container to which the data is intended to be received), and an identification of the sender of the data (e.g., the first container) in the IPC register or memory. Subsequent containers may be executed by the container manager and when the second container is executed by the container manager, the container manager may provide the data from the first container that is stored in the IPC register to the second container so that the data may be used during the execution of the second container. The container manager may restrict access to the IPC register or memory if the second container's identification is different from the recipient container's identification. The container manager may store the sender container identification in the IPC itself register or memory so that the sender container may not provide a false identification.
  • The container manager may further provide functionality to a container to communicate with components or entities outside of the secure computation environment. For example, the system may include high-level operating system (HLOS) registers or memory that may be used to provide an indication of a request for data from a container and receive the corresponding data for the container from an external entity that is outside of the secure computation environment. For example, a container may transmit data to the container manager for storage at a HLOS register that indicates a request for a particular type of data. An external software application or component may access the HLOS register and may identify that the HLOS register currently indicates the request for the particular type of data. In response, the external software application or component may provide the requested data for the HLOS register and the container manager may allow the container to retrieve the data received from the external software application or component that is currently stored in the HLOS register or memory.
  • Furthermore, the secure computation environment may allow a container to verify the container manager. For example, the bootloader may provide a version number or other such identification of the container manager when the bootloader is executed and may store the version number in a particular register or memory location. A container that is executed by the container manager may include instructions to verify the version number of the container manager. For example, the container may be provided access to the version number in the particular register or memory location and may be executed based on the version number of the container manager. For example, if the version number of the container manager matches an authorized version number of the container manager from the instructions of the container, then the container may be executed. However, if the version number of the container manager does not match the authorized version number of the container manager from the instructions of the container, then the container may not further execute or perform operations of its instructions.
  • Accordingly, aspects of the present disclosure may provide for a secure computation environment where a bootloader of a system or a device may verify a container manager that may further provide a framework for the execution of user code in the form of containers. Furthermore, the containers may further verify the container manager so that the execution of the containers may be performed in a secure computation environment.
  • Fig. 1 illustrates an example secure computation environment 100 with a bootloader 110, a container manager 121 stored in a read-only memory 120, and one or more containers 130. In general, the secure computation environment 100 may correspond to a portion of a system or a device that provides a secure computation environment for one or more containers 130.
  • As shown in Fig. 1 , the secure computation environment 100 may include a bootloader 110 that interacts with a container manager 121 that is stored in a read-only memory (ROM) 120 of a device that includes the secure computation environment 100. The bootloader 110 may be a hardware-based state machine that is executed in response to an initialization (i.e., power-up) of the secure computation environment 100 or a device that includes the secure computation environment 100. Furthermore, the bootloader 110 may perform a series of power-on self-tests (e.g., a procedure performed immediately after power-on or start up) of the secure computation environment 100. The self tests performed by the bootloader 110 may include a verification or performance test of the hardware components of the secure computation environment 100. For example, the self-tests may include a test of the CPU or processing device that is part of the secure computation environment 100. The bootloader 110 may further perform an integrity check of the contents of the ROM 120 of the secure computation environment 100. For example, the bootloader 110 may perform a verification or integrity check of the container manager 121 by retrieving the contents of the container manager 121 and computing an integrity check value of the contents of the container manager 121. The computed integrity check value may be compared with another stored integrity check value to determine the authenticity or verification of the container manager 121. The integrity check value may correspond to a hash value that is based on a hash function that is used to map digital data of arbitrary size (e.g., the contents of the container manager 121) to digital data of a fixed size (e.g., the computed integrity check value). Further details with regard to the execution of the bootloader are described in conjunction with Fig. 3 .
  • After a successful completion of the self-tests, the bootloader 110 may initiate or execute the container manager 121 that is stored in the ROM 120. For example, the bootloader 110 may initiate the container manager 121 after verifying the CPU and the ROM 120 or other memory of the secure computation environment 100. The control of the CPU or other hardware resources of the secure computation environment 100 may then be provided from the bootloader 110 to the container manager 121. In some embodiments, the container manager 121 may correspond to a trusted embedded light-weight software that provides functionality to hardware resources and software resources of the secure computation environment. For example, the container manager 121 may provide an application programming interface (API) that defines functionalities such as system calls to access software resources or hardware resources of the secure computation environment 100. The container manager 121 may further receive one or more containers 130 that correspond to untrusted user code that is received from outside of the secure computation environment 100. The container manager 121 may verify permissions of a received container 130 to access resources of the secure computation environment 100, verify the authenticity of the received container 130, and provide a framework for communication between containers 130 as well as communication between containers 130 and external entities or components that are external to the secure computation environment 100. Further details with regard to the container manager 121 are disclosed in conjunction with Figs. 5A-10 .
  • The container manager 121 may be executed in response to receiving one of the containers 130 or in response to one of the containers 130 executing a system call to access resources of the secure computation environment 100. After a verification of a received container, the container manager 121 may provide control of the CPU or processing device of the secure computation environment 100 to the received container. Each of the one or more containers 130 may further correspond to untrusted user code that provides instructions and/or data for accessing resources of the secure computation environment 100. As described in additional detail with regard to Fig. 5A , the containers 130 may be received in a series so that the resources of the secure computation environment 100 are timeshared between the containers 130.
  • Fig. 2 illustrates an example architecture 200 of a secure computation environment. In general, the architecture 200 may include a bootloader 210 that corresponds to the bootloader 110 of Fig. 1 , a container manager 250 that corresponds to the container manager 121 of Fig. 1 , and a container 240 that corresponds to the one or more containers 130 of Fig. 1 .
  • As shown in Fig. 2 , the architecture 200 may include the bootloader 210 that controls a CPU 220 or other such processing device, a container manager 250 that is stored in ROM or other such memory, and a container 240 that is stored in static random access memory (SRAM) or other such memory. A memory bus 230 may couple the container 240 and the container manager 250 with the bootloader 210 and other resources 232A-H of the architecture 200.
  • The architecture 200 may include a resource enforcement core 260 that enforces control or access to the resources 232A-H of the architecture 200. Such resources may include, but are not limited to, one-time programmable (OTP) memory writes or burns, OTP reads, feature reads, feature writes, reading of cryptographic keys, updating of cryptographic keys, general purpose input/output (GPIO) reads, GPIO writes, an ability to execute code or instructions via or on the CPU 220, access to an executable region of the SRAM, read access to a particular portion of any such memory, write access to a particular portion of such memory, etc. The accesses may be fine grained. For example, the resource enforcement core may allow write access to one byte of the OTP but not to the next byte. Other resources may include access to functionality of cores 251 that are stored in ROM. Such cores 251 may correspond to elliptic curve cryptography (ECC) key generation, ECC signature verification, ECC signature generation, cryptographic key exchange, RSA key generation, RSA encryption or decryption, Advanced Encryption Standard (AES) encryption or decryption, SHA-2 or SHA-3 functionalities etc. In some embodiments, the resource enforcement core 260 may be programmed by the container manager 250 before the execution of each container 240. For example, a container 240 may include an identification of permissions to the features or resources 232A-H and the container manager 250 may program registers or memory of the resource enforcement core 260 based on the permissions of a container 240 that is to be executed. Thus, the resource enforcement core 260 may enforce access to the resources 232AH via a secure bus 231 for containers 240 that have been verified by the container manager 250. In some embodiments, one or more of the resources 232A-H may be coupled to external components of a device that includes the architecture 200. For example, a resource 232B may be coupled to another system on a chip (SoC), OTP memory, a random number generator component, or other such components that are external to the secure computation environment.
  • Fig. 3 is a flow diagram of an example method 300 to provide a secure computation environment. In general, the method 300 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 300 corresponds to an execution flow between the bootloader 110 or 210 of Figs. 1 or 2 , the container manager 121 or 250 of Figs. 1 or 2 , and a container 130 or 240 of Figs. 1 or 2 .
  • As shown in Fig. 3 , the method 300 may begin with the processing logic performing a verification of a secure computation environment in response to an initialization of a system or a device that includes the secure computation environment (block 310). For example, a bootloader may perform a self-test of the secure computation environment that verifies hardware resources and a container manager. The processing logic may further provide access to a CPU to a container manager after the verification of the secure computation environment (block 320). For example, the control of the CPU may be transferred from the bootloader to the container manager and the container manager may be initiated or executed. The processing logic may further receive a container (block 330). For example, executable code may be received. The processing logic may subsequently execute the container manager in response to receiving the container (block 340). For example, the container manager may be executed each time that a container is received. Thus, in some embodiments, containers may be received in a series so that the containers timeshare the resources of the secure computation environment. The container manager may be separately executed each time that one of the containers is received. Thus, if a first container is received and a subsequent container is received, the container manager is executed a first time in response to receiving the first container and the container manager may be again executed a second time in response to receiving the subsequent container. As such, the container manager may be executed on-demand based on the receiving of containers. In some embodiments, the container manager may be executed after the received container initiates a system call to access a resource of the secure computation environment. The processing logic may verify the container based on the container manager (block 350). In response to the verification of the container by the container manager, the processing logic may further execute the container (block 360). For example, control or access to the CPU may be provided so that instructions of the container are executed. Thus, access or control of the CPU may be provided from the container manager to the container.
  • Fig. 4 is a flow diagram of an example method 400 to execute a bootloader of a secure computation environment. In general, the method 400 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 400 corresponds to an execution flow of the bootloader 110 or 210 of Figs. 1 or 2 .
  • As shown in Fig. 4 , the method 400 may begin with the processing logic detecting an initialization of a secure computation environment (block 410). For example, a device or system that includes the secure computation environment may be powered on or initiated after a reset. The processing logic may subsequently perform a self-test of the secure computation environment (block 420). For example, a hardware-based state machine may perform a series of steps or tests of one or more components of the secure computation environment. An example of such a component includes, but is not limited to, a CPU or a memory of the secure computation environment. The processing logic may further retrieve contents of a container manager and a stored integrity check value (block 430). For example, the contents of the container manager may be retrieved from a ROM of the secure computation environment and the stored integrity check value may be retrieved from the same ROM or another memory location within the secure computation environment. The processing logic may subsequently calculate a container manager integrity check value based on the contents of the container manager (block 440). For example, a hash function may be performed on the contents, or a portion of the contents, of the container manager to determine the container manager integrity check value.
  • The processing logic may subsequently compare the stored integrity check value with the container manager integrity check value (block 450). Furthermore, the processing logic may provide access to a CPU, or other such processing device or hardware resource, of the secure computation environment for the container manager based on the comparison of the integrity check values (block 460). For example, if the container manager integrity check value matches the stored integrity check value, then the container manager may be considered to be verified or authenticated and the access or control of the CPU may be provided to the container manager from the bootloader. However, if the container manager integrity check value does not match the stored integrity check value, then the container manager may be considered to be unverified or unauthorized and the access or control of the CPU may not be provided to the container manager from the bootloader.
  • As such, the bootloader may perform a self-test of resources of the secure computation environment and a verification of a container manager. After a successful self-test and a successful verification of the container manager, control or access to a CPU or processing device of the secure computation environment may be provided to the container manager. In some embodiments, the providing of the control or access to the CPU or processing device for a container manager may correspond to the using of the CPU or processing device for operations of the container manager.
  • Fig. 5A is a flow diagram of an example method 500 to provide timesharing of resources of a secure computation environment. In general, the method 500 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 500 may be performed by the container manager 121 or 250 of Figs. 1 or 2 .
  • As shown in Fig. 5A , the method 500 may begin with the processing logic receiving a first container (block 501). For example, a container manager may receive a container after an initialization or execution of the container manager. In some embodiments, the container manager may be executed after a system call for accessing of resources of the secure computation environment has been received. The processing logic may further provide access to resources of the secure computation environment to the first container (block 502). For example, access to a CPU may be provided from the container manager to the first container. The providing of the control or access to the CPU or processing device for a container may correspond to the using of the CPU or processing device for operations or instructions of the container. The processing logic may subsequently execute the first container (block 503). For example, instructions of the first container may be performed by the CPU of the secure computation environment. Further details with regard to the execution of a container are described with regard to Fig. 5B .
  • The processing logic may subsequently receive a second container after a completion of the execution of the first container (block 504). For example, the second container may be received by the container manager after the first container. The processing logic may then provide access to resources of the secure computation environment to the second container (block 505) and may execute the second container (block 506).
  • As such, the resources of the secure computation environment may be timeshared between a series of containers. For example, a portion of the resources may be provided to a first container at a first time, and the portion or another portion of the resources may be provided to a subsequent second container at a second time that is after the first time.
  • Fig. 5B is a flow diagram of an example method 509 to execute a container manager of a secure computation environment. In general, the method 509 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 509 may be performed by the container manager 121 or 250 of Figs. 1 or 2 .
  • As shown in Fig. 5B , the method 509 may begin with the processing logic initializing a container manager (block 510). For example, the container manager may be initiated by a bootloader. The initiation of the container manager may perform an initial setup or an initialization routine of the container manager. The processing logic may further receive a first container (block 520). Furthermore, the processing logic may execute the container manager in response to receiving the first container by providing control or access to a CPU to the container manager (block 530). The processing logic may subsequently verify the first container (block 540). For example, the container manager may verify a signature of the first container. For example, the container manager may access a public key and verify a signature of the first container that is created by a corresponding private key (e.g., of a public-private key pair). For example, the container manager may access a symmetric key and may use a hash message authentication code (HMAC) operation to verify a signature of the first container that is created by a corresponding key. For example, the container manager may unconditionally consider the first container to be verified. In some embodiments, the container manager may further verify other properties of the container such as a format of the container, a version of the container, etc. In some embodiments, the verification of the container may further include a determination of the permissions of the container to access resources of the secure computation environment. After the verification of the container, one or more registers accessed by a resource enforcement core may be updated to reflect the permissions associated with the container to access the resources of the secure computation environment. In some embodiments, the container manager may dynamically modify the registers in the resource enforcement core as the container executes. Such a dynamic modification may change the permission granted to the container dynamically. For example, the container manager may provide an application programming interface (API) for the container to facilitate the updating of the registers. The processing logic may subsequently execute the first container in response to the verification of the first container by providing control or access of a CPU to the first container (block 550). For example, instructions of the first container may be executed by the CPU if the container satisfies particular cryptographic properties (e.g., the cryptographic signature is valid). The processing logic may further detect a completion of the execution of the first container (block 560). Subsequently, the processing logic may provide control of the CPU to the container manager (block 570). For example, the control or access to the CPU may be returned to the container manager from the container. The processing logic may further store state information of the first container into a memory (block 580). For example, the first container may store some data in the IPC memory or register for subsequent containers to use. For example, the first container may allow a subsequent container to operate with some of the permissions attributed to the first container. For example, the container manager may track the number of containers run so far and may provide this information to the containers or to the HLOS memory or register.
  • The container manager may use an identification of a container to decide which resources the container may have access to. For example, the identification of a container may be its hash (e.g., SHA-2 or SHA-3). For example, the identification may be the container's public key cryptography signature (e.g., ECSDA), or the public key corresponding to the private key to generate the signature. For example, the identification may be the container's HMAC. Optionally, the identification may also include a version number or revision number of the container that identifies a revision history of the executable code of the container. Optionally, the identification may be a hash of a combination of various fields (e.g., the identification is the result of an SHA-2 operation of the public key and revision number of the container).
  • As such, the container manager may be executed in response to the receiving of a container and any other subsequent containers. Control or access to a CPU or other hardware resources of a secure computation environment may be provided to a container in response to a verification of the container by the container manager. After the completion of the execution of the container, the control or access to the CPU may be returned to the container manager and state information of the container that was executed may be stored in a memory of the secure computation environment.
  • Fig. 6 is a flow diagram of an example method 600 to update a container manager. In general, the method 600 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 600 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • As shown in Fig. 6 , the method 600 may begin with the processing logic receiving a request to update a container manager (block 610). For example, the request to update the container manager may identify a particular instruction or operation of the container manager and a memory address location for the contents of the instruction or operation. The processing logic may further retrieve a function table associated with the container manager (block 620). The function table may correspond to ordered pairs of entries where a first entry of a pair identifies a particular type of instruction or operation and the second entry of the pair identifies a memory address location that includes contents for the instruction or operation. The processing logic may subsequently update at least one field of the function table that corresponds to the memory address (block 630). For example, the function table may be stored in a memory where the memory may be modified to change a memory address location to a new memory address location.
  • The execution of the container manager may be based on a use of the function table. For example, the container manager may be used with the function table to perform instructions or operations based on the memory address location corresponding to an instruction or operation. Thus, the updating of the container manager may result in a change of a memory address location for at least one instruction or operation of the container manager.
  • Referring to Fig. 6 , the processing logic may increment a version number associated with the container manager in response to the updating of the function table (block 640). For example, the version number located in a memory location may be incremented or increased in response to the updating of the container manager. In some embodiments, the version number may be stored by the bootloader in OTP or other non-volatile medium (NVM). The bootloader may restrict any containers from execution if the current version number is not higher or equal to the maximum of all the previously stored version numbers. In some embodiments, the version number of the container manager may be provided to containers. Each container may retrieve the version number of the container manager and may compare the version number of the container manager to a version number identified within the container. If the version number of the container manager does not match the version number identified within the container, then the container may not execute (e.g., the instructions of the container manager may not be performed). However, if the version number of the container manager does match the version number identified within the container, then the container may execute. As such, the version number of the container manager may be used by a container to verify the container manager before the execution of the container.
  • Fig. 7 illustrates an example environment 700 of a container manager interacting with one or more containers. In general, the environment 700 may include a container manager 720 that corresponds to the container manager 121 or 250 of Figs. 1 or 2 .
  • As shown in Fig. 7 , the environment 700 may include a container manager 720 that receives one or more containers 710. The container manager 720 may further be coupled to a high level operating system (HLOS) register or memory 730 and an inter-process communication (IPC) register or memory 740. The container manager 720 may execute one of the containers 710 and may provide an indication of a request for data from the executed container to a component that is external to the secure computation environment via the HLOS memory 730. The container manager 720 may subsequently retrieve the data from the HLOS memory 730 and provide the data to the executed container. Further details with regard to the HLOS memory 730 are described in conjunction with Fig. 10 .
  • The container manager may further provide access to an IPC memory 740 to provide communication between at least two of the containers 710. For example, data may be received from a first container that is received and executed by the container manager 720 and the data may be stored in the IPC memory 740 for retrieval by a subsequent second container that is received by the container manager 720. Further details with regard to the IPC memory 740 are described in conjunction with Figs. 8-9 .
  • Fig. 8 illustrates an example method 800 to provide interaction between containers. In general, the method 800 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 800 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • As shown in Fig. 8 , the method 800 may begin with the processing logic receiving data from a first container during the execution of the first container (block 810). The processing logic may further receive a recipient identification for the data from the first container (block 820). For example, the recipient identification may correspond to the identification of another container. The processing logic may subsequently store the received data, the recipient identification of the other container, and a sender identification of the data that corresponds to the first container in an inter-process communication (IPC) memory or register (block 830). The processing logic may subsequently execute a second container (block 840). For example, a second container may be received after the receiving and execution of the first container. The processing logic may identify that the identification of the second container matches the recipient identification for the data that is stored in the IPC memory (block 850). Furthermore, the processing logic may provide access to the data and the sender identification at the IPC memory to the second container (block 860).
  • In some embodiments, the second container may execute instructions with the data from the IPC memory based on a condition associated with the sender identification of the data. For example, the instructions may be executed if the sender identification matches a particular sender identification from the second container or the instructions may not be executed if the sender identification does not match a particular sender identification from the second container.
  • As such, data from a first container may be stored in a memory location of a secure computation environment. A second container that is executed after the first container may be provided access to the data at the memory location.
  • Fig. 9 illustrates an example of containers interacting with a memory. In general, a container manager 910, which may correspond to the container manager 121 or 250 of Figs. 1 or 2 , may provide interaction between containers based on an IPC memory 940.
  • As shown in Fig. 9 , the container manager 910 may be coupled to an IPC memory 940 and a container pipeline 924. The container pipeline 924 may include a first container 920 'A,' a second container 921 'B,' and a third container 922 'C.' The container manager 910 may receive the first container 920 'A' which may be executed. The instructions of the first container 920 'A' may specify for data A to be stored in the IPC memory 940 for the third container 922 'C.' For example, the container manager 910 may store an entry in the IPC memory 940 that includes the data A, an identification of the first container 920 (e.g., sender 'A'), and a recipient of the data (e.g., recipient 'C'). The container manager 910 may subsequently receive the second container 921 'B' after the completion of the execution of the first container 920 'A.' The second container 921 'B' may not be allowed access to the data in the IPC memory 940 as the identification of the second container 921 (e.g., 'B') does not match the recipient identification of the data (e.g., 'C'). At a later time, the container manager 910 may receive the third container 922 'C.' Since the identification of the third container 922 (e.g., 'C') matches the recipient identification for the data in the IPC memory 940, the container manager 910 may provide access to the data in the IPC memory 940 to the third container 922 with the identification of 'C.'
  • Fig. 10 illustrates an example method 1000 of a container interacting with a component outside of the secure computation environment. In general, the method 1000 may be performed by processing logic that may comprise hardware (e.g., processing device, circuitry, dedicated logic, programmable logic, microcode, hardware of a device, integrated circuit, etc.), software (e.g., instructions run or executed on a processing device), or a combination thereof. In some embodiments, the method 1000 may be performed by the container manager 121 or 250 or another component of a secure computation environment of Figs. 1 or 2 .
  • As shown in Fig. 10 , the method 1000 may begin with the processing logic receiving a request from a container for data that is external to a secure computation environment (block 1010). For example, the data may correspond to data that is received from a component of a device that is not within the secure computation environment. The processing logic may subsequently provide an indication of the request from the container in a high level operating system (HLOS) memory or register (block 1020). For example, a container manager may modify the contents of an HLOS memory to indicate that a component within the secure computation environment has requested data from a component that is coupled to the HLOS memory. The processing logic may subsequently receive the data from an entity that is external to the secure computation environment via the HLOS memory (block 1030). For example, the component that is not within the secure computation environment may provide the data that has been requested by storing the data into the HLOS memory. Furthermore, the processing logic may provide the data form the HLOS memory to the container (block 1040). For example, the container manager may retrieve the data that has been stored in the HLOS memory and may provide the data to the container for execution by the container.
  • In some embodiments, the HLOS memory may be the only memory locations within the secure computation environment that are accessible to entities or components that are external to the secure computation environment.
  • Fig. 11 illustrates an example machine of a computer system 1100 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative implementations, the machine may be connected (e.g., networked) to other machines in a LAN, an intranet, an extranet, and/or the Internet. The machine may operate in the capacity of a server or a client machine in client-server network environment, as a peer machine in a peer-to-peer (or distributed) network environment, or as a server or a client machine in a cloud computing infrastructure or environment.
  • The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single machine is illustrated, the term "machine" shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
  • The example computer system 1100 includes a processing device 1102, a main memory 1104 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM) such as synchronous DRAM (SDRAM) or Rambus DRAM (RDRAM), etc.), a static memory 1106 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 1118, which communicate with each other via a bus 1130.
  • Processing device 1102 represents one or more general-purpose processing devices such as a microprocessor, a central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computing (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 1102 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 1102 is configured to execute instructions 1126 for performing the operations and steps discussed herein.
  • The computer system 1100 may further include a network interface device 1108 to communicate over the network 1120. The computer system 1100 also may include a video display unit 1110 (e.g., a liquid crystal display (LCD) or a cathode ray tube (CRT)), an alphanumeric input device 1112 (e.g., a keyboard), a cursor control device 1114 (e.g., a mouse), a graphics processing unit 1122, a signal generation device 1116 (e.g., a speaker), graphics processing unit 1122, video processing unit 1128, and audio processing unit 1132.
  • The data storage device 1118 may include a machine-readable storage medium 1124 (also known as a computer-readable medium) on which is stored one or more sets of instructions or software 1126 embodying any one or more of the methodologies or functions described herein. The instructions 1126 may also reside, completely or at least partially, within the main memory 1104 and/or within the processing device 1102 during execution thereof by the computer system 1100, the main memory 1104 and the processing device 1102 also constituting machine-readable storage media.
  • In one implementation, the instructions 1126 include instructions to implement functionality corresponding to a container manager (e.g., container manager 121 or 200 Figs. 1 or 2 ). While the machine-readable storage medium 1124 is shown in an example implementation to be a single medium, the term "machine-readable storage medium" should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term "machine-readable storage medium" shall also be taken to include any medium that is capable of storing or encoding a set of instructions for execution by the machine and that cause the machine to perform any one or more of the methodologies of the present disclosure. The term "machine-readable storage medium" shall accordingly be taken to include, but not be limited to, solid-state memories, optical media and magnetic media.
  • Some portions of the preceding detailed descriptions have been presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the ways used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of operations leading to a desired result. The operations are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like.
  • It should be borne in mind, however, that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. Unless specifically stated otherwise as apparent from the above discussion, it is appreciated that throughout the description, discussions utilizing terms such as "identifying" or "determining" or "executing" or "performing" or "collecting" or "creating" or "sending" or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers or other such information storage devices.
  • The present disclosure also relates to an apparatus for performing the operations herein. This apparatus may be specially constructed for the intended purposes, or it may comprise a general purpose computer selectively activated or reconfigured by a computer program stored in the computer. Such a computer program may be stored in a computer readable storage medium, such as, but not limited to, any type of disk including floppy disks, optical disks, CD-ROMs, and magnetic-optical disks, read-only memories (ROMs), random access memories (RAMs), EPROMs, EEPROMs, magnetic or optical cards, or any type of media suitable for storing electronic instructions, each coupled to a computer system bus.
  • The algorithms and displays presented herein are not inherently related to any particular computer or other apparatus. Various general purpose systems may be used with programs in accordance with the teachings herein, or it may prove convenient to construct a more specialized apparatus to perform the method. The structure for a variety of these systems will appear as set forth in the description below. In addition, the present disclosure is not described with reference to any particular programming language. It will be appreciated that a variety of programming languages may be used to implement the teachings of the disclosure
    as described herein.
  • The present disclosure may be provided as a computer program product, or software, that may include a machine-readable medium having stored thereon instructions, which may be used to program a computer system (or other electronic devices) to perform a process according to the present disclosure. A machine-readable medium includes any mechanism for storing information in a form readable by a machine (e.g., a computer). For example, a machine-readable (e.g., computer-readable) medium includes a machine (e.g., a computer) readable storage medium such as a read only memory ("ROM"), random access memory ("RAM"), magnetic disk storage media, optical storage media, flash memory devices, etc.
  • In the foregoing disclosure, implementations of the disclosure have been described with reference to specific example implementations thereof. It will be evident that various modifications may be made thereto without departing from the scope of implementations of the disclosure as set forth in the following claims. The disclosure and drawings are, accordingly, to be regarded in an illustrative sense rather than a restrictive sense.

Claims (15)

  1. A method comprising:
    receiving a container (130) corresponding to executable code or instructions as well as permissions to access certain functionality or resources of a computation environment of a device;
    in response to the receiving of the container (130), executing a container manager (121) resident in a memory of the computation environment to verify the container (130),
    wherein the container manager (121) is verified by a boot loader (110) of the computation environment;
    determining permissions of the container (130) to access resources of the computation environment after the verification of the container (130) by the container manager (121); and
    providing, by the processing device, access to one or more resources of the computation environment by transferring control of the one or more resources from the container manager (121) to the container (130) based on the permissions of the container for the resources of the computation environment.
  2. The method of claim 1, further comprising:
    receiving data from the container (130), wherein the data is for a second container (130); and storing the data and an identification of the second container in another memory of the computation environment.
  3. The method of claim 2, further comprising:
    receiving the second container (130) after a completion of an execution of the container (130), wherein the second container (130) corresponds to additional executable code; and
    providing the data from the another memory of the computation environment to the second container (130) in response to an identification of the second container (130) matching the identification of the second container (130) in the another memory of the computation environment.
  4. The method of one of the preceding claims, the method further comprising:
    receiving a version number associated with the container manager (121); and
    executing the container (130) based on a comparison of the version number associated with the container manager (121) and another version number associated with the container manager (121) stored in the container (130).
  5. The method of one of the preceding claims, further comprising:
    receiving, from the container (130), a request to receive data from a component that is external to the computation environment; and
    storing an indication of the request to receive data into another memory of the computation environment, wherein the another memory is accessed by the component that is external to the computation environment.
  6. The method of one of the preceding claims, further comprising:
    executing the container (130); and
    after the executing of the container, storing state information associated with the container in another memory of the computation environment, in particular wherein the verification of the container corresponds to a verification of a cryptographic signature of the container.
  7. A system comprising:
    a memory; and
    a processing device operatively coupled with the memory to:
    receive a container corresponding to executable code or instructions as well as permissions to access certain functionality or resources of a computation environment of the device;
    in response to the receiving of the container (130), execute a container manager (121) resident in the memory of the computation environment to verify the container (130),
    wherein the container manager is verified by a boot loader (110) of the computation environment; determine permissions of the container (130) to access resources of the computation environment after the verification of the container (130) by the container manager (121); and provide access to one or more resources of the computation environment by transferring control of the one or more resources from the container manager (121) to the container (130) based on the permissions of the container (130) for the resources of the computation environment.
  8. The system of claim 7, wherein the processing device is further to:
    receive data from the container (130), wherein the data is for a second container (130); and store the data and an identification of the second container (130) in another memory of the computation environment.
  9. The system of claim 8, wherein the processing device is further to:
    receive the second container (130) after a completion of an execution of the container (130), wherein the second container (130) corresponds to additional executable code; and
    provide the data from the another memory of the computation environment to the second container (130) in response to an identification of the second container (130) matching the identification of the second container in the another memory of the computation environment.
  10. The system of one of claims 7 to 9, wherein the processing device is further to:
    receive a version number associated with the container manager (121); and
    execute the container (130) based on a comparison of the version number associated with the container manager and another version number associated with the container manager (121) stored in the container (130).
  11. The system of one of claims 7 to 10, wherein the processing device is further to:
    receive, from the container (130), a request to receive data from a component that is external to the computation environment; and
    store an indication of the request to receive data into another memory of the computation environment, wherein the another memory of the computation environment is accessed by the component that is external to the computation environment.
  12. The system of one of claims 7 to 11, wherein the processing device is further to:
    execute the container (130); and
    after the executing of the container (130), store state information associated with the container (130) in another memory of the computation environment, in particular wherein the verification of the container (130) corresponds to a verification of a cryptographic signature of the container.
  13. A non-transitory computer readable medium comprising instructions that, when executed by a processing device, cause the processing device to perform operations comprising:
    receiving a container (130) corresponding to executable code or instructions as well as permissions to access certain functionality or resources of a computation environment of the device;
    in response to the receiving of the container (130), executing a container manager resident in a memory of the computation environment to verify the container (130), wherein the container manager is verified by a boot loader (110) of the computation environment;
    determining permissions of the container (130) to access resources of the computation environment after the verification of the container by the container manager (121); and
    providing access to one or more resources of the computation environment by transferring control of to the one or more resources from the container manager (121) to the container (130) based on the permissions of the container (130) for the resources of the computation environment.
  14. The non-transitory computer readable medium of claim 13, the operations further comprising:
    receiving data from the container (130), wherein the data is for a second container (130); and storing the data and an identification of the second container (130) in another memory of the computation environment,, in particular the operations further comprising:
    receiving the second container (130) after a completion of an execution of the container (130), wherein the second container (130) corresponds to additional executable code; and
    providing the data from the another memory of the computation environment to the second container (130) in response to an identification of the second container (130) matching the identification of the second container (130) in the another memory of the computation environment
  15. The non-transitory computer readable medium of one of claims 13 or 14, the operations further comprising:
    receiving a version number associated with the container manager (121); and
    executing the container (130) based on a comparison of the version number associated with the container manager (121) and another version number associated with the container manager (121) stored in the container (130), and/or when the operations further comprising:
    receiving, from the container (130), a request to receive data from a component that is external to the computation environment; and
    storing an indication of the request to receive data into another memory of the computation environment, wherein the memory is accessed by the component that is external to the computation environment, and /or when the operations further comprising:
    executing the container (130); and
    after the executing of the container (130), storing state information associated with the container (130) in another memory of the computation environment.
EP16839800.6A 2015-08-21 2016-08-10 Secure computation environment Active EP3338214B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562208490P 2015-08-21 2015-08-21
PCT/US2016/046428 WO2017034811A1 (en) 2015-08-21 2016-08-10 Secure computation environment

Publications (3)

Publication Number Publication Date
EP3338214A1 EP3338214A1 (en) 2018-06-27
EP3338214A4 EP3338214A4 (en) 2019-01-16
EP3338214B1 true EP3338214B1 (en) 2020-12-16

Family

ID=58100754

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16839800.6A Active EP3338214B1 (en) 2015-08-21 2016-08-10 Secure computation environment

Country Status (5)

Country Link
US (2) US11250134B2 (en)
EP (1) EP3338214B1 (en)
JP (1) JP6769999B2 (en)
CN (2) CN107924440B (en)
WO (1) WO2017034811A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10528749B2 (en) 2017-03-20 2020-01-07 Huawei Technologies Co., Ltd. Methods and apparatus for containerized secure computing resources
CN109002256B (en) * 2018-05-04 2022-12-06 中国信息安全研究院有限公司 Storage system for trusted computing environment
CN111124956B (en) * 2019-11-22 2023-03-07 海光信息技术股份有限公司 Container protection method, processor, operating system and computer equipment
US20230131132A1 (en) * 2021-10-21 2023-04-27 Nokia Solutions And Networks Oy Securing containerized applications

Family Cites Families (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7631188B2 (en) 1997-05-16 2009-12-08 Tvworks, Llc Hierarchical open security information delegation and acquisition
US20060010136A1 (en) * 1999-01-28 2006-01-12 Deangelo Michael System and method for creating and manipulating information containers with dynamic registers
EP1762958A1 (en) * 1999-03-08 2007-03-14 Spyrus, Inc. Method and system for enforcing access to a computing resource using a licensing certificate
JP2001175606A (en) * 1999-12-20 2001-06-29 Sony Corp Data processor, and data processing equipment and its method
US7316027B2 (en) 2004-02-03 2008-01-01 Novell, Inc. Techniques for dynamically establishing and managing trust relationships
US7382880B2 (en) 2004-01-26 2008-06-03 Hewlett-Packard Development Company, L.P. Method and apparatus for initializing multiple security modules
US8271783B2 (en) 2004-04-19 2012-09-18 Hewlett-Packard Development Company, L.P. Subordinate trusted platform module
US7565522B2 (en) * 2004-05-10 2009-07-21 Intel Corporation Methods and apparatus for integrity measurement of virtual machine monitor and operating system via secure launch
US8332653B2 (en) * 2004-10-22 2012-12-11 Broadcom Corporation Secure processing environment
US7917753B2 (en) * 2005-05-16 2011-03-29 Texas Instruments Incorporated Transferring control between programs of different security levels
DE602005018215D1 (en) * 2005-09-29 2010-01-21 Research In Motion Ltd System and method for registering data units for code signing services
US8341747B2 (en) * 2006-08-08 2012-12-25 International Business Machines Corporation Method to provide a secure virtual machine launcher
JP5007867B2 (en) 2007-05-11 2012-08-22 ナグラスター エル.エル.シー. Apparatus for controlling processor execution in a secure environment
US7865712B2 (en) * 2007-12-26 2011-01-04 Intel Corporation Method and apparatus for booting a processing system
US8621551B2 (en) 2008-04-18 2013-12-31 Samsung Electronics Company, Ltd. Safety and management of computing environments that may support unsafe components
US8510805B2 (en) * 2008-04-23 2013-08-13 Samsung Electronics Co., Ltd. Safe and efficient access control mechanisms for computing environments
US8196213B2 (en) * 2008-07-11 2012-06-05 Microsoft Corporation Verification of un-trusted code for consumption on an insecure device
GB2466071B (en) * 2008-12-15 2013-11-13 Hewlett Packard Development Co Associating a signing key with a software component of a computing platform
US8510569B2 (en) * 2009-12-16 2013-08-13 Intel Corporation Providing integrity verification and attestation in a hidden execution environment
US9087200B2 (en) * 2009-12-22 2015-07-21 Intel Corporation Method and apparatus to provide secure application execution
US20110246778A1 (en) * 2010-03-31 2011-10-06 Emc Corporation Providing security mechanisms for virtual machine images
CN102473220B (en) * 2010-05-07 2015-06-17 松下电器产业株式会社 Information processing device, information processing method, and program distribution system
US8700895B1 (en) 2010-06-30 2014-04-15 Google Inc. System and method for operating a computing device in a secure mode
US9104514B2 (en) * 2011-01-11 2015-08-11 International Business Machines Corporation Automated deployment of applications with tenant-isolation requirements
US8924770B2 (en) * 2011-07-06 2014-12-30 Cleversafe, Inc. Rebuilding a data slice of a maintenance free storage container
US8843764B2 (en) 2011-07-15 2014-09-23 Cavium, Inc. Secure software and hardware association technique
CN102289631B (en) * 2011-08-12 2014-12-10 无锡城市云计算中心有限公司 Method for realizing virtual safety computing environment
US8874916B2 (en) 2012-09-28 2014-10-28 Intel Corporation Introduction of discrete roots of trust
US9009705B2 (en) * 2012-10-01 2015-04-14 International Business Machines Corporation Authenticated distribution of virtual machine images
US9396011B2 (en) * 2013-03-12 2016-07-19 Qualcomm Incorporated Algorithm and apparatus to deploy virtual machine monitor on demand
US10198572B2 (en) * 2013-09-17 2019-02-05 Microsoft Technology Licensing, Llc Virtual machine manager facilitated selective code integrity enforcement
US10044695B1 (en) * 2014-09-02 2018-08-07 Amazon Technologies, Inc. Application instances authenticated by secure measurements
US9729579B1 (en) * 2015-04-27 2017-08-08 Symantec Corporation Systems and methods for increasing security on computing systems that launch application containers

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None *

Also Published As

Publication number Publication date
JP6769999B2 (en) 2020-10-14
US11250134B2 (en) 2022-02-15
EP3338214A1 (en) 2018-06-27
JP2018523930A (en) 2018-08-23
CN107924440B (en) 2022-07-01
US20180181760A1 (en) 2018-06-28
CN107924440A (en) 2018-04-17
EP3338214A4 (en) 2019-01-16
CN115062291A (en) 2022-09-16
US20220382874A1 (en) 2022-12-01
WO2017034811A1 (en) 2017-03-02

Similar Documents

Publication Publication Date Title
US20200272739A1 (en) Performing an action based on a pre-boot measurement of a firmware image
CN109669734B (en) Method and apparatus for starting a device
KR102244645B1 (en) Management of authenticated variables
EP2854066B1 (en) System and method for firmware integrity verification using multiple keys and OTP memory
US20220382874A1 (en) Secure computation environment
US20160350534A1 (en) System, apparatus and method for controlling multiple trusted execution environments in a system
US9167002B2 (en) Global platform health management
US8464047B2 (en) Method and apparatus for authorizing host to access portable storage device
US9164925B2 (en) Method and apparatus for authorizing host to access portable storage device
EP3384423B1 (en) Device with multiple roots of trust
US11664970B2 (en) Providing access to a hardware resource based on a canary value
US10776493B2 (en) Secure management and execution of computing code including firmware
US20220006637A1 (en) File system supporting remote attestation-based secrets
Carpent et al. Temporal consistency of integrity-ensuring computations and applications to embedded systems security
US20200202004A1 (en) Secure initialization using embedded controller (ec) root of trust
KR20220090537A (en) Validate Virtual Environment Type for Policy Enforcement
CN106980800B (en) Measurement method and system for authentication partition of encrypted solid state disk
CN112511306A (en) Safe operation environment construction method based on mixed trust model
US9064118B1 (en) Indicating whether a system has booted up from an untrusted image
Song et al. TZ-IMA: Supporting Integrity Measurement for Applications with ARM TrustZone
US20240037216A1 (en) Systems And Methods For Creating Trustworthy Orchestration Instructions Within A Containerized Computing Environment For Validation Within An Alternate Computing Environment
Umar et al. Trusted Execution Environment and Host Card Emulation

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180321

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
A4 Supplementary search report drawn up and despatched

Effective date: 20181213

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 9/4401 20180101ALI20181207BHEP

Ipc: G06F 21/51 20130101AFI20181207BHEP

Ipc: H04L 9/32 20060101ALI20181207BHEP

Ipc: G06F 21/57 20130101ALI20181207BHEP

Ipc: G06F 21/56 20130101ALI20181207BHEP

Ipc: G06F 21/44 20130101ALI20181207BHEP

Ipc: H04W 12/08 20090101ALI20181207BHEP

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: EXAMINATION IS IN PROGRESS

17Q First examination report despatched

Effective date: 20190813

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20200716

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602016050004

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1346239

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210115

REG Reference to a national code

Ref country code: NL

Ref legal event code: FP

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210316

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1346239

Country of ref document: AT

Kind code of ref document: T

Effective date: 20201216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210316

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210416

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602016050004

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210416

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

26N No opposition filed

Effective date: 20210917

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20210831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210831

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210416

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210810

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210810

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20160810

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20201216

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: NL

Payment date: 20230826

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230828

Year of fee payment: 8

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230825

Year of fee payment: 8

Ref country code: DE

Payment date: 20230829

Year of fee payment: 8